New Research Says Chrome Browser "Most Secured" Against Attacks

Which Web Browser is the Most Secure? New Research Tests How Web Browsers Stand Up Against Today's Web-based Threats

Security research firm Accuvant, today released the results a study comparing the security of the three most widely used web browsers – Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer.

In its research, the Accuvant LABS team tried to determine which browser best secures against attackers. The research firm says it used a “completely different and more extensive methodology than previous, similar studies.”

“We compared web browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques,” said Chris Valasek, Accuvant LABS senior research scientist. “Like antivirus or anti-malware software, each provides an additional layer of defense. This methodology requires a greater depth of technical expertise than statistical analysis of vulnerabilities, and also provides a more accurate window into the security of each browser.”

So which browser turned out to be the most secure? Accuvant said that Google Chrome is currently the browser that is most secured against attacks. Ironically, Google commissioned Accuvant to perform the comparison, but the results and testing methodology are available for anyone to see, and Accuvant is a highly respected firm, so I don’t assume the results to be skewed in favor of Chrome, despite Google’s funding of the undertaking.

As the report notes, sandboxes are quickly becoming standard best practice within many popular applications. The report said that Google’s Chrome provided the most restrictive sandbox, limiting almost all interaction with the OS to the broker process. “Internet Explorer has made valiant first steps at a sandbox by using the low integrity functionality to restrict IE tabs’ persistence abilities on the system in the event of a compromise,” the report says. “Unfortunately, the low integrity mechanism permits read access to most resources, unrestricted network accessibility and a multitude of ways to alter the system state. Lastly, Firefox has yet to implement any formal sandbox, relying solely upon the process running as medium integrity; giving it the ability to perform any action of a non-administrator.”

Chrome was also credited with releasing updates more frequently than both Mozilla and Microsoft. In terms of time to patch a reported vulnerability, Chrome was fastest, while Microsoft was the slowest. Accuvant suggests that because Internet Explorer is deeply integrated with the Windows operating system, changes in Internet Explorer can have repercussions throughout a much larger code base, adding to the time it takes to create a stable and tested patch.

In terms of URL blacklisting, technology that helps block agains potentially malicious sites, including phishing sites and sites serving up malware, the report said that blacklisting services offered by all three browsers will stop fewer attacks than will go undetected.

"Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti- exploitation technologies, but Mozilla Firefox lags behind without JIT hardening," the report notes. "While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack," the report concluded.

The full report, “Browser Security Comparison: A Quantitative Approach,” as well as all of the data presented within the document and the tools used to generate the data, are available for download here. The report is a great read and highly suggested for anyone in an IT security related role.

For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.